SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
It's time for MacRansom: New ransomware goes after MacOS
Mon, 19th Jun 2017
FYI, this story is more than a year old

Fortinet has warned of a Ransomware-as-a-Service (RaaS) that is making its home on a webportal hosted on the TOR network, but this one specifically targets MacOS.

Fortinet says that because 92% of computers run Windows and 6% run MacOS, Mac users are often fooled into thinking their systems are secure.

However that thinking has been disproved and Fortinet believes MacRansom could be one of the first RaaS that targets Mac OS.

The ransomware demands 0.25 bitcoin, or around $700 US to decrypt files. The problem is, there may not be a way to decrypt files.

According to the creators, MacRansom has been designed for those who want to 'covertly retaliate' against another Mac user or those who want to attack 'unsuspecting family members, friends, colleagues and classmates'.

However, interested attackers must have physical access to the potential victim's Mac, unless they have social engineering skills that can trick users into downloading the ransomware. For an extra fee, the creators can deliver the ransomware over AirDrop and email.

According to Fortinet, they didn't believe that MacRansom was legitimate at first, they dug deeper into the mystery and contacted the creators.

The creators claimed they were Facebook and Yahoo engineers - "professional developers with experience in software development and vast interest in surveillance".

They also claimed the ransomware is invisible to Mac users until scheduled execution time; can encrypt files using 128 bit encryption in less than a minute; and has no digital trace associating it with buyers.

According to MacRansom's FAQ section, Mac users are willing to pay as much as $1000 to get their computer files back. It even boasts that $26,500 was paid by one small business owner.

Fortinet examined the claims and found that the ransomware checks to see if it's running in a Mac environment to detect whether it is being debugged.

Research also found that the encrypted files can't be decrypted once the malware has terminated. It does not try to communicate with the C-C server to gain access to the key for file decryption.

The company encourages users to be wary of opening files from unidentified sources and to make backups of their data, particularly as there may be no way to decrypt their files if they are affected by MacRansom.

When it comes to security, the only constant is change, whether it is the way networks are evolving or how these changes are creating new opportunities for criminals," commentsAamir Lakhani, Fortinet Senior Security Strategist.

“It is imperative that companies approach security from a holistic perspective. This includes making sure that every device is protected across all threat vectors, including Mac devices that were thought to be secure.

In response to this new wave of brazen ransomware attacks, Fortinet recommends Mac users to take the following preventive measures:

1. Apply patches and updates. Apple regularly provides security updates. Users must make sure they take the time to apply them.

2. Backup your device. Apple's Time Machine service will automatically create full system backups, which means that should a system get ransomed, one could simply wipe the device and perform a full system restore from backup. Regularly scan backups for vulnerabilities and store these backups offline. Offline storage is vital because Time Machine backup systems are often persistently connected to the device being backed up, and risk being compromised during an attack.

3. Encrypt data stored on device. While this may not be effective against many ransomware variants, it is still a good practice as it can protect an organisation should any device become infected with malware that is designed to steal files and data.

4. Install an endpoint security client. Look for endpoint solutions that will not only protect your device, but tie that security back into your network security strategy, allowing you to leverage and share threat intelligence to better protect your device and its assets.

5. Deploy security that covers other threat vectors.  As email is still the number one source for malware and infection, ensure that a robust email security solution is deployed. The same is true for web security tools, wired and wireless access controls, cloud-based security, and network segmentation strategies that help detect, isolate, and respond to threats found anywhere across a distributed environment.